Browser Agent - Chrome CDP Automation

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives an agent broad control over real logged-in Chrome sessions without enough safety boundaries.

Install only if you intentionally want an agent to control a browser. Use a separate Chrome profile with non-sensitive accounts, keep CDP bound to localhost, avoid wildcard remote origins when possible, and require explicit confirmation before posting, deleting, submitting forms, evaluating scripts, or using it on sensitive sites such as banking, email, admin consoles, or password managers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to launch Chrome with remote debugging and a persistent user-data directory, then demonstrates navigation, clicking, typing, screenshots, and script execution, but it does not warn that this can expose existing cookies, sessions, saved credentials, and open tabs to the automation client. In the context of a browser-control skill, omission of these cautions materially increases the risk of unintended access to sensitive browser state and user accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples include high-impact actions such as bulk posting/deleting tweets, automatic likes/forwards, data collection, login automation, JavaScript evaluation, and long-lived session reuse without any cautionary guidance, approval checkpoints, or abuse boundaries. In a browser automation skill, these examples normalize destructive or privacy-invasive actions and could facilitate account misuse, unauthorized scraping, or modification of live services if copied directly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes reusing logged-in browser sessions, including cookies and existing authenticated state, but does not provide strong warnings, consent requirements, or scope restrictions. This is dangerous because an agent operating through a live authenticated session can access private data and perform account actions as the user, greatly increasing the risk of unauthorized data access or destructive actions if the task is mis-scoped or prompt-injected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents scraping, form filling, content publishing, and cross-platform synchronization use cases without adequately warning about privacy, compliance, or destructive side effects. In this context, an AI-controlled browser with CDP access can collect sensitive information or submit unintended actions across multiple services, making misuse or accidental abuse more likely.

Missing User Warnings

High
Confidence
96% confidence
Finding
The examples explicitly mention bulk deleting and publishing social media posts without an explicit warning that these actions may be irreversible or high-impact. Because the skill is designed to operate on live logged-in sessions, mistakes, malicious prompts, or automation errors could cause immediate account-wide destructive changes with limited recovery options.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly promotes connecting to a real Chrome session that reuses existing login state, cookies, and background permissions, enabling an agent to act with the user's full authenticated browser context. In a browser-control skill, the absence of strong warnings, scope limits, and consent guidance materially increases the risk of unauthorized account actions, data exfiltration, or destructive changes across sites.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The report documents browser screenshots being saved to a local path but does not mention retention, sensitivity, or the risk that screenshots may capture account data, tokens, or other private page contents. In a browser-automation skill, silent local persistence of captured browser data is a real privacy and data-handling concern even if the report itself is only informational.

Ssd 3

Medium
Confidence
96% confidence
Finding
The report includes the title/content of an active browser tab, which can reveal user activity, account context, and potentially sensitive business or personal information unrelated to the test. In a browser-agent skill, exposing ambient browser context is more dangerous because the tool interacts with a live user browser session rather than an isolated test profile.

Ssd 3

Low
Confidence
95% confidence
Finding
The screenshot result exposes an absolute local filesystem path containing the Windows username and home directory structure. This unnecessarily reveals environment details that can aid profiling, social engineering, or targeting of local artifacts, even if the direct impact is limited.

VirusTotal

66/66 vendors flagged this skill as clean.
